1Password 8 will be Electron, subscription only, and no longer support local vaults

This website is kinda nicely done.

A lot of large companies like IBM now use 1PW.

And apparently they have a lot of new things in the pipeline.

Not necessarily, although it definitely complicates things. The biggest thing with a central data store is that it creates a very high-value target for hackers - so it’s important that it be super-secure.

2 Likes

True, but every 1Password account is individually encrypted with a master password and unique secret key known only to the user. That says to me that if a hacker was able to download the entire site he would then have to hack 15 million accounts one at a time.

Right, currently. Assuming they don’t do anything to change that fundamental model. Assuming the account encryption they use on the back end doesn’t have any sort of exploitable weakness or backdoor. Assuming the ability for a friend or family member to get you back into your account doesn’t have any cryptographic weaknesses. Assuming there aren’t any just outright bugs in the code. Assuming…you get the point. 🙂

I’m not saying there’s a weakness there to be found. I’m saying that there’s a lot of incentive for bad actors to find it, if there is one. And if 1PW puts themselves at the center of trying to redefine online security, the incentive goes up - not down.

1 Like

It never is a mistake to look elsewhere and to have options. I do not care about electron, I do not care about the subscription. But the next funding round and the fact that we are talking about $6 billion now… And their vision for the future… I do not see myself there any longer. I am not IBM.

So, I gave Bitwarden a try. And… I might stick to it. It took me about an hour to move all my 1PW data over to Bitwarden (using 1PW7 that is) and to create folders that fit my needs in Bitwarden. Time will tell. I feel more comfortable with open source. And free (or $10 per year for the premium version) is not that bad, either…

1 Like

Yes and no.

Yes, every password manager is ultimately subject to software bugs, the breaking of their underlying encryption, etc.

But no, not every password manager creates a high-value, centralized target. Any password manager that uses a locally-stored data store would logically require hackers to get each user’s data file separately. The per-file encryption may or may not be the same security, but the acquisition of the files would be more difficult.

In a context where a number of online password managers (1Password, LastPass, etc.) are actively growing their business and painting larger and larger targets on their backs, it’s worth keeping that fact in mind when evaluating future offerings.

2 Likes

Tools that target users’ systems are a bigger risk than attacks on zero-knowledge provider databases. For example, there are tools anyone can run to find KeePass files or ~/.password_store on a local filesystem or retail cloud storage, and fast brute forcing tools to apply once stolen. 1Password’s app’s local storage can also be targeted, but the secret key system offers additional protection. I would bet that the biggest risk to 1Password is using a cloud-based password manager solely in a browser with random extensions given full permissions; this is something no one should be doing regardless of how much they like their password service.

1 Like

So… what if you store a KeePass database file on a (presumably) safe cloud volume while that file’s corresponding KeePass lock key is stored only locally on each device? Still not as safe in your view compared to a Bitwarden/1Password/LastPass?

There’s no “KeePass lock key”, unless I’m really missing something. There’s only your master password. Your file is exactly as secure as your master password.

I know that targeting users’ systems is possible via botnets and such, so on a per-user level it’s likely true that the risk of their particular file being accessed is likely higher - but it doesn’t change the fact that 1PW has a much, much larger target on its back. Especially as their product evolves to take a more central place in people’s online lives.

This is where I’m skeptical. Are you saying that a “fast brute forcing tool” can crack a unique (i.e. “not in a public database of compromised passwords”) 30-character master password in a useful timeframe?

Absolutely. The biggest risk is always on the user’s computer / browser / ISP / tunnel to the server / everything that’s going through a third-party.

1 Like

Sorry, meant “key file.” (Master Key - KeePass)

1 Like

@bwintx @webwalrus I think it’s possible to use KeePass and pass safely (I have a KeePass file for some stuff and reasonably believe it’s secure.) I just wouldn’t point out the risks of a password management service without presenting the risk to a local/user-managed service.

Any length of password used for KeePass (30 characters, etc.) would presumably also be used in 1Password’s zero-knowledge system in addition to the secret key’s additional protection.
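As an added example, not code from this thread, from 1Password or from KeePass: a simplified two-secret vault key derivation in Python showing the point made above about a key file (or 1Password’s Secret Key). A stolen vault file whose key mixes in a second secret that stays on the user’s devices cannot be checked against a dictionary of password guesses without that second secret, even when the master password is weak; once the attacker also has the second secret, strength is back to the master password alone. The construction, the sample password, the wordlist, the fixed salt and the iteration count are all constructed for the demo; the real KeePass composite key and 1Password’s derivation differ in detail.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample inputs: a weak master password and a 32-byte "key file" /
# "secret key" that never leaves the user's devices (fixed bytes for determinism).
MASTER_PASSWORD = "summer2021"
KEY_FILE = bytes.fromhex(
    "6f1c2b9a8d7e4f30a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718"
)
SALT = bytes(range(16))  # constructed fixed salt; a real vault uses a random one
ITERATIONS = 20_000      # kept modest so the demo runs quickly
HEADER = b"vault-header-v1"

# Constructed wordlist an attacker might try; the real password is in it.
WORDLIST = ["123456", "password", "letmein", "summer2021", "qwerty"]


def composite_key(password: str, key_material: Optional[bytes], salt: bytes) -> bytes:
    """Illustrative composite-key derivation (not KeePass's or 1Password's exact scheme).

    The second secret is hashed into the KDF input, so a password guess alone
    produces a key that cannot match the one used to protect the vault.
    """
    secret = hashlib.sha256(password.encode("utf-8")).digest()
    if key_material is not None:
        secret = hashlib.sha256(secret + hashlib.sha256(key_material).digest()).digest()
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS, dklen=32)


def make_vault(password: str, key_material: Optional[bytes]) -> dict:
    """Builds the on-disk artefact an attacker would steal: salt plus a key verifier.

    The verifier is an HMAC over a fixed header; the legitimate client uses it to
    detect a wrong password, and an offline attacker uses it to test guesses.
    """
    key = composite_key(password, key_material, SALT)
    verifier = hmac.new(key, HEADER, hashlib.sha256).digest()
    return {"salt": SALT, "verifier": verifier}


def offline_guess(vault: dict, candidates, key_material: Optional[bytes]) -> Optional[str]:
    """Attacker's loop against a stolen vault, with whatever second secret they hold."""
    for guess in candidates:
        key = composite_key(guess, key_material, vault["salt"])
        tag = hmac.new(key, HEADER, hashlib.sha256).digest()
        if hmac.compare_digest(tag, vault["verifier"]):
            return guess
    return None


def demo():
    """Returns (cracked with password only, cracked without key file, cracked with key file)."""
    # Case 1: vault protected by the master password only; the stolen file is enough.
    pw_only = make_vault(MASTER_PASSWORD, None)
    cracked_pw_only = offline_guess(pw_only, WORDLIST, None)

    # Case 2: same weak password plus a key file the attacker did not obtain.
    with_key = make_vault(MASTER_PASSWORD, KEY_FILE)
    cracked_without_key = offline_guess(with_key, WORDLIST, None)

    # Case 3: the attacker also took the key file (e.g. from the same compromised
    # machine); protection is back to the strength of the master password.
    cracked_with_key = offline_guess(with_key, WORDLIST, KEY_FILE)
    return cracked_pw_only, cracked_without_key, cracked_with_key


if __name__ == "__main__":
    print(demo())  # expected: ('summer2021', None, 'summer2021')
```

The third case is the caveat raised earlier in the thread: a key file stored on the same device as the client, or synced to the same cloud volume as the database, adds nothing once that device or volume is compromised. The second secret only helps against the "download the whole site" scenario when it is genuinely absent from what was stolen.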

Definitely. 🙂

Regarding this:

are you thinking that something like a 30-character, non-public password is reasonably safe from the brute-forcing algorithms?

Absolutely! 🙂 It’d probably be cheaper to steal your keyboard and do analysis of the wear than to pay for the parallel computing to finish that reasonably quickly. Edit: or just steal you. 😛

1 Like

Or your finger, if you use TouchID 😂

2 Likes

I don’t think there’s any way to brute force these in a reasonable timeframe (compared to the life of the Sun for example).

The advantage of a decentralised approach is that literally no one’s data is worth spending that kind of computing power to crack.

1 Like

FYI

Just got a software update to v1.16.9 of the Strongbox app that, among other things, says that its 1Password Importer includes attachments now that they are being exported by 1Password v7.9.2.

3 Likes

Still riding the beta train here and 1Password are taking their time with the Mac app and listening to feedback.
They’ve brought back categories into the left-hand nav, which had been removed and was causing a fair amount of feedback about that particular one.

It’s becoming more polished and I’m quite happy with it now.

7 Likes

I was skeptical at first as well but honestly it’s been stable and they’re polishing it nicely. The real fun will be when I set up a Linux box and get my vaults installed.

1 Like

Another great update from Strongbox, does not look like any other Keepass-based client I know of. The developer is on a killing spree! (Still very beta and crashy but it’s a great preview)

1 Like